Fixed permissions and referrers

app/views/main.py

@@ -26,6 +26,15 @@ def health():
     return jsonify(dict(status="OK", version=current_app.config['APP_VERSION']))
 
 
+@main_blueprint.route('/token', methods=['GET', 'POST'])
+@auth.authorize_admins('default')
+def token():
+    user_session = UserSession(session)
+    return jsonify(access_token=user_session.access_token,
+                   id_token=user_session.id_token,
+                   userinfo=user_session.userinfo)
+
+
 @main_blueprint.route('/', methods=['GET', 'POST'])
 @auth.access_control('default')
 def index():
@@ -34,17 +43,8 @@ def index():
     userNodeList = [n for n in Node().list().nodes if n.user.name == hs_user]
     return render_template('index.html',
                            userNodeList=userNodeList,
-                           session=user_session)
-
-
-@main_blueprint.route('/token', methods=['GET', 'POST'])
-@auth.authorize_admins('default')
-def token():
-    user_session = UserSession(session)
-    # return jsonify(user_session.userinfo)
-    return jsonify(access_token=user_session.access_token,
-                   id_token=user_session.id_token,
-                   userinfo=user_session.userinfo)
+                           session=user_session,
+                           auth=auth)
 
 
 @main_blueprint.route('/logout')
@@ -62,12 +62,14 @@ def nodes():
 
 
 @main_blueprint.route('/node/<int:nodeId>', methods=['GET'])
-@auth.authorize_admins('default')
+@auth.access_control('default')
 def node(nodeId):
     # There is a bug in HS api with retrieving a single node
     # and we added a workaround to hsapi, so node.get() returns a
     # v1Node object instead of v1NodeResponse, so we access directly
     # `node`, instead of `node.node`
+    if not auth.userOrAdmin(auth.username):
+        return auth.unathorized
     node = Node().get(nodeId)
     routes = Node().routes(nodeId)
     isExitNode = any(